Perimeter Defense - Email Security > [T3]: Malicious URLs: phishing example

Let's look at the following phishing example:

Figure


This is a real and typical credential-phishing email. Attackers craft the message to look as legitimate as possible so that it deceives users. As we can see in the mail body, it asks the user to verify their email address by clicking the VERIFY EMAIL button. Hovering over the button reveals the link's true destination: the phishing site where the user would submit their credentials. The visible text of an HTML link and its actual target (the href) are independent, so the displayed text, or even a displayed URL, proves nothing about where the click goes; only the href (seen by hovering or by inspecting the raw HTML) does.
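The hover check can be automated for triage. The script below is an added example and not part of the course material: it parses a constructed sample message (fictitious sender, recipient, and destination domains), pulls every anchor out of the HTML body, defangs the real destination for reporting, and flags the two patterns shown in this kind of email, a link whose visible text names one domain while the href points to another, and a link that goes to a bare IP address. The `registrable_domain` helper is a deliberately simple approximation (last two labels) rather than a real public-suffix lookup.

```python
"""Extract and inspect links from a phishing email (added example, not course code)."""
import email
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; all addresses and domains are fictitious placeholders.
SAMPLE_EML = """\
From: "Mail Support" <support@mailservice.example>
To: victim@corp.example
Subject: Action required: verify your email address
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox will be suspended unless you verify your address.</p>
<p><a href="http://203.0.113.10/verify/index.php?u=victim@corp.example">VERIFY EMAIL</a></p>
<p>Or visit <a href="https://login.mailservice.example.attacker.invalid/">https://login.mailservice.example/</a></p>
<p><a href="https://mailservice.example/help">Help Center</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of (href, text)
        self._href = None     # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True for dotted-quad hosts such as 203.0.113.10 (IPv4 only, by design)."""
    return host != "" and host.replace(".", "").isdigit()


def registrable_domain(host):
    """Crude eTLD+1 approximation (last two labels); a triage heuristic, not a PSL lookup."""
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def defang(url):
    """Make a URL non-clickable for tickets and reports: hxxp scheme, [.] in the host."""
    p = urlparse(url)
    scheme = p.scheme.replace("http", "hxxp")
    host = (p.hostname or "").replace(".", "[.]")
    rest = url.split(p.netloc, 1)[1] if p.netloc else ""
    return f"{scheme}://{host}{rest}"


def mismatch_reason(text, dest):
    """Explain why the visible text and the real destination disagree, or return None."""
    host = dest.hostname or ""
    if is_ip_literal(host):
        return "destination is a bare IP address"
    # Only compare domains when the visible text itself looks like a URL.
    shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
    if shown and registrable_domain(shown) != registrable_domain(host):
        return f"text shows {shown} but link goes to {host}"
    return None


def extract_links(raw_eml):
    """Return one dict per anchor in the HTML body: text, href, defanged href, host, mismatch."""
    msg = email.message_from_string(raw_eml, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    results = []
    for href, text in parser.links:
        dest = urlparse(href)
        results.append({
            "text": text,
            "href": href,
            "defanged": defang(href),
            "host": dest.hostname or "",
            "mismatch": mismatch_reason(text, dest),
        })
    return results


if __name__ == "__main__":
    for link in extract_links(SAMPLE_EML):
        flag = f"  <-- {link['mismatch']}" if link["mismatch"] else ""
        print(f"{link['text']!r:45} -> {link['defanged']}{flag}")
```

On the sample message the VERIFY EMAIL button resolves to an IP-literal host and the second link's visible URL and real target sit in different registrable domains, while the Help Center link is left unflagged; the defanged form is what goes into the ticket or the sandbox submission.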

One of the most useful online services for quickly analyzing suspicious attachments, URLs, and emails is ANY.RUN, an interactive sandbox that lets you detonate suspect artifacts and interact with them in an isolated environment.

Figure

To analyze something, select 'New task' from the left pane, choose whether the artifact is a URL or a file, and finally select the operating system on which the file should be executed or the URL visited.

Figure

Here is the analysis of the link from the example phishing email above.

Figure


ANY.RUN provides a wealth of useful information, such as:

  • A verdict: whether the submitted sample is malicious, suspicious, or clean.
  • The ability to download the sample.
  • A summary of indicators of compromise (IOCs), e.g., contacted domains, IPs, and URLs.
  • The processes that ran during the session.

More importantly, it keeps screenshots of the phishing URL as it looked when the sample was first submitted. Attackers rotate their phishing pages across different servers because the links get blocklisted quickly by browsers and threat feeds, so the page an analyst sees later is often not the page the victim saw. For example, visiting the phishing URL at the time of writing shows the following result, possibly one of the compromised servers on which the attacker collected the stolen credentials; Chrome now flags the site as suspicious.
Figure

For SOC analysts, seeing what the attack looked like when it was first detected is important because it adds a lot of context. Fortunately, ANY.RUN keeps multiple screenshots of the session in their original form, which can be browsed by moving the mouse left and right across the timeline. As we can see, this was the phishing site:

Figure

The view above is the recorded history of the last analysis run for that sample. SOC analysts can click the 'Restart' button at any time to reanalyze the sample and interact with it in a live environment, as in the following figure:

Figure

You can also search ANY.RUN's public submissions for samples matching specific criteria, which is very helpful for practicing on real samples seen in the wild.

Figure

Bottom line: malicious URLs come in different forms, such as links to credential-phishing pages and links that download malware, which makes blocking them hard for defenders. Fortunately, some security controls are very effective at neutralizing malicious URLs. Let's look at the available defenses in the next section.